Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #7

February 16, 2005

SANS 2005, in San Diego in early April (on the ocean) is the largest security and audit training conference and expo in the world. Extraordinary teachers present the most current tools and techniques. Details at http://www.sans.org/sans2005

OMB Wants All Agencies to Use Air Force's Standardized, Securely Configured Model (9/7 February 2005)

Officials at the Office of Management and Budget's (OMB) Office of e-Government and Information Technology believe the Air Force's decision to use standardized, securely configured software throughout the service could prove to be a good model for all federal agencies. The plan allows for automatic patch installation and saves a great deal of money on both contract consolidation and cost avoidance for unnecessary patch testing. In a related story, OMB and DHS (Department of Homeland Security) officials will lead an interagency task force on developing common solutions for cyber security; the task force aims to increase common processes to save money.

-http://www.fcw.com/fcw/articles/2005/0207/news-afpatch-02-07-05.asp
-http://www.fcw.com/fcw/articles/2005/0207/web-omb-02-09-05.asp

[Editor's Note (Schneier): I agree that the decision to use standard, securely configured software is a good one. (See my essay on the subject from several years ago -http://www.schneier.com/crypto-gram-9904.html#different .) I'm not sure, however, that "Microsoft" and "securely configured" belong in the same product description.
(Pescatore): Using standardized, security configured software across agencies is a good thing but the Air Force deal with Microsoft obviously only covered Microsoft products. Most large enterprises have much Linux and Unix software and having separate approaches for each vendor's software makes no sense. Putting vulnerability management processes in place is much smarter than just saving money in the short run by locking into a single vendor.
(Paller): Two clarifications: Microsoft gets kudos for stepping up to help finalize the agreed upon benchmarks that had already gotten NSA, Center for Internet Security, NIST, and DISA support. Now there is one agreed upon set of benchmark configurations. Those benchmarks facilitated the Air Force procurement. Similar efforts for other operating systems and major applications are under way. This is not a Microsoft-only initiative.]

Man Suing Bank for Cyber Theft Losses (8 February 2005)

Miami businessman Joe Lopez is suing Bank of America for alleged "negligence in failing to protect his account from known risks" which resulted in an unauthorized wire transfer of more than US$90,000 from his on-line account. A forensic investigation of Lopez's PCs revealed they had been infected with the Coreflood Trojan which in theory allowed the cyber thieves to steal banking account numbers and passwords. Lopez's case alleges Bank of America knew of the danger posed by Coreflood but failed to inform its customers. The case is believed to be the first in which someone has sued a bank for cyber crime losses in the US; the attorney hopes the suit will attain class action status.

-http://www.theregister.co.uk/2005/02/08/e-banking_trojan_lawsuit/print.html

[Editor's Note (Ranum): This is an interesting case. If the plaintiff wins, then banks own responsibility for viruses and malcode on end-users' computers. My guess is that's not going to happen.]

Gartner Warns Companies Not to be Hasty in Switch to Firefox (10 February 2005)

Gartner warns that companies should think carefully before switching to Firefox. While the open source browser has seen a growing popularity, some of the features that make it so appealing may not last. As its market share grows, Firefox is likely to be targeted more frequently by malware and attackers.

-http://www.computerworld.com/printthis/2005/0,4814,99685,00.html

[Editor's Note (Pescatore): What the most recent Gartner report actually concluded was "Organizations should not embark on a wholesale switch to Firefox in the near term, but should consider ways to manage browser coexistence because that is the most likely long-term outcome." The security issues were basically (1) while there are definite security advantages to using Firefox, those related to security through obscurity for Firefox won't last forever and (2) since most enterprises will need to have IE running even if users are mostly browsing with Firefox, so enterprises need to make sure they have configuration management and software update to patch Firefox vulnerabilities just like they do Windows vulnerabilities.
(Schneier): Gartner seems to be saying that the security aspects of Firefox will diminish as time goes on and it's targeted by more malware developers -- but this assumes that security is the only reason people use it. The article mentions the additional features, but doesn't take this into comparison in the prediction.
(Grefer): Several of the appealing Firefox features are also available for Internet Explorer when using the Internet Explorer add-on Maxthon (formerly known as MyIE2), a donate-ware product that may be used free of charge without donation. -http://www.maxthon.com/ ]

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Government Reform Committee Reorganized (9 February 2005)

Representative Tom Davis (R-Va.), who chairs the House Government Reform Committee, has eliminated the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The issues covered by that subcommittee, including e-government, cyber security and information sharing, will now have the attention of the full committee. Davis also reorganized the seven subcommittees, all of which will have the opportunity to work on technology issues.

-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35046

[Editor's Note (Schneier): I keep reading about various government agencies that are involved in cybersecurity. I'm not always a fan of centralization, but can't the government at least get its ducks sorted out, if not all in a row?]

LEGISLATION

Legislators have introduced The Voting Integrity and Verification Act which would require touch screen, optical scanning and lever voting machines to include "a verifiable paper trail and audit capability in time for the 2006 elections." Some states already have similar requirements in place, but there is no such standard in 2002's Help America Vote Act. The proposed legislation has bipartisan support.

-http://news.com.com/2102-1028_3-5571030.html?tag=st.util.print

[Editor's Note (Schultz): The time for required paper audit trails in electronic voting is here; hopefully, this legislation will pass without any significant hitches.]

Microsoft is looking into reports of a Trojan horse program, BankAsh-A, that attacks the company's anti-spyware product, which is still in beta. BankAsh-A tries to disable Microsoft AntiSpyware and to steal passwords and banking account information.

-http://www.vnunet.com/news/1161161
-http://www.itweb.co.za/sections/quickprint/print.asp?StoryID=149607

[Editor's Note (Shpantzer): This week's rash of stories of serious vulnerabilities in defensive applications is interesting. There used to be a time when these applications were trusted and, if you had them, you were doing alright against a vanilla attack against opportunistic targets. This past year we've seen more and more attack vectors that have anticipated these defensive applications, seeking to disable them, before continuing on to steal the data or hosing a third party site with hijacked bandwidth.]

ATTACKS AND INTRUSIONS

The FBI is reportedly investigating denial-of-service attacks on Alaska's state computer network. The Department of Homeland Security and the CIA are also believed to be involved, but officials are not commenting on the case.

-http://www.adn.com/front/story/6140359p-6022520c.html

The Problem With the Not-So-Secret Question (9 February 2005)

Bruce Schneier points out that the secret question method often used as authentication when passwords are forgotten is an even less secure protocol than are passwords. Schneier describes one occasion when he forgot his passwords and because he had generated a nonsense-random answer to the secret question by slapping at the keyboard, he had to call the organization to get his password reset. Schneier points out that it should be harder to access an account if a password is forgotten, not easier; the answers to secret questions are often easy to divine. Schneier concludes that "passwords have reached the end of their useful life."

-http://www.computerworld.com/printthis/2005/0,4814,99628,00.html

VoIP Security Alliance Formed (8 February 2005)

The VoIP Security Alliance comprises more than 20 security and networking organizations; the group plans to monitor and help mitigate new and existing VoIP security risks. Attacks on VoIP will become more likely as it becomes more widely used, and as data and voice networks converge.

-http://www.theregister.co.uk/2005/02/08/voip_security/print.html
-http://www.voipsa.org/

[Editor's Note (Shpantzer): I lurk on the email list maintained by voipsa.org and have learned quite a bit about this topic.]

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/